Experience the difference of "Elite".

Stripe Connect and 3D Secure 2, Better Handling of Failed Cards, Last Minute Bookings w/o Security Holds

  • Posted on
  • By

Hey look - it's the first Hump Day of 2021! 🐫 Time to talk updates. Our list of updates is small this week but includes a huge Stripe/3DS2 update that was months in the making.

New Features

A couple months ago, we mentioned working on a large update for Stripe that would support Strong Customer Authentication and the 3D Secure 2 ("3DS2") standard.

To recap, 3DS2 provides an additional layer of security for online credit card payments by forcing the merchant and cardholder to stop and get an authentication from the cardholder prior to the transaction going through. It's complicated to build and support, but European laws now require European banks to support it effective January 1, 2021 (which was a few days ago). We believe that America and other regions will support it in the future, though it is believed that it will be a few years before American banks will fully require it.

Here's a quick animation of how it works:

Anytime the guest is making a payment - whether accepting a quote, on a channel or making a followup payment - the payment process reaches out to the cardholder's bank for active verification and the payment screens waits for confirmation.  The transaction cannot complete until the verification has been returned from your mobile app or however your bank verifies transactions with you.  This might be an SMS message that your bank asks you to confirm.  This might be a link to click on.  Whatever it is, the payment processes waits for this to complete prior to moving forward.

To pave the way for 3DS2 compliance, we've been working on setting up 3DS2-compliant payment processing with the processors that support it. We're happy to announce that we made the December 31 deadline!

Using Stripe, you can now fully handle 3DS2 credit card payments if you are a European merchant.

This also works with channel bookings through Vrbo, though that has to be turned on in your Vrbo account first.  Reach out to Vrbo and ask them about it if you're a European merchant and use Vrbo to take bookings.  Airbnb bookings don't have this problem because Airbnb does all of their own payment processing, so the bank verification process would happen on the Airbnb side where the guest is paying. Booking.com and TripAdvisor do not yet support 3DS2 for their bookings, but we will add it when they get it working.  On our side, everything is ready to go.

So how does OwnerRez look? For the most part, the OwnerRez app, control panel and guest forms all look the same as before.  We heavily tested all of our payment interaction points to make sure that the verification process happens correctly but the interface remains the same.  If you do happen to be the lucky European merchant that needs this, your guests will see something like this when they're confirming their booking:

For most of you, this new 3DS2 stuff will never be used because you're not a European merchant.  However, this work lays the foundation for other security enhancements that might affect you in the future.

We're proud to be one of the only vacation rental software platforms that now supports 3D Secure!

Enhancements and Tweaks

While we were working on the 3DS2 stuff, we made other changes to how payments, security holds and failed credit cards work.

We now store credit cards that failed to work when processing new Vrbo and Booking.com API bookings.  This is an important change because it allows you to try the card again if the guest tells you that the the failure was momentary - eg. fraud alert, temporary balance issue, AVS problem, etc.  Instead of having to enter the card again, you can simply re-run the same card that was stored from the first attempt.

We also update existing cards to have new information if the guest enters their payment information online and the card is the same. In the past, every time the payment information is entered by a guest, a new card is stored.  Most of the time the card is the same and only a minor detail - address change or expiration date - is updated, so we look for an existing card on file to update instead of creating a new one.

If you didn't know, you can also edit cards on file at any time to change things like expiration date or address if you need to.  Simply go to any booking, click on the Transactions tab and look at the Stored Cards list.  Click on any card and you can edit the details.  You can also edit credit cards for security holds as well.

Another great update is the ability to take last minute bookings when a security hold fails.  This was a common problem for a long time.  As an example, suppose that a guest is booking this upcoming weekend and owes a full payment and a security hold.  Because the booking is last minute, the security hold is due immediately.  In the past, OwnerRez would automatically attempt to take it all and if any part failed, the entire booking would roll back.  The guest's card would be hit for both a large payment and the security hold and, frequently, the security hold would fail after the payment succeeded.  This could be because of a security alert by the bank or an over-limit issue, but it would cause everything to roll back and the payment to be voided.  In some cases, another payment is not possible because the original charge is still "pending" on the bank account, even though it was marked as voided.  We changed our process so that security holds no longer stop last minute bookings from moving forward.  Instead, we now follow a similar pattern with channel bookings, and flag the security hold as failed and email the guest (and you the owner/PM) to alert you what happened.  This gives the guest time to use a different card and fix the problem.

In certain places throughout the interface, we have links to our support center, and we noticed that some of those support links open in different places - new tabs versus same tabs for instance.  We normalized that behavior so that the control panel always stays where you are when you click over into the support center.

Bug Fixes

Occupancy report last day off by one.  A shrewd user noticed that, depending on the month and criteria, the last day of the report was off by one and causing the percentages to go over 100%.  This has now been fixed.

2 Comments (add yours)

Le Touquet Holid
Jan 6, 2021 7:58 PM
Joined Nov, 2018 113 posts

Once a guest has authenticated once for a first partial payment would they be required to authenticate again for the scheduled balance and security hold?

Chris Hynes
Jan 7, 2021 7:30 PM
OR Team Member Joined Oct, 2012 1396 posts

When the guest is first entering their card, we notify the bank that there will be multiple transactions associated with the card and ask them to verify the card knowing there will be future transactions, but authentication for each payment is ultimately up to the card issuing bank.

If a subsequent automatic transaction fails, the guest will get the payment failed email so they can authorize the additional transactions directly.